My OSCP Journey: Tips, Tricks, and Cheat Sheets

21 - FTP

Banner Grabbing

Telnet

telnet 10.0.0.3 21

Netcat

nc -n 10.0.0.3 21

NSE Script

nmap -sV --script banner -p21 -Pn 10.0.0.3

FTP

ftp 10.0.0.3

FTP Exploitation

Anonymous Login

Note: During the port scanning phase, Nmap's script scan (-sC) can be enabled to check for FTP Bounce and Anonymous Login.

Try anonymous login using anonymous:anonymous credentials.

ftp 10.0.0.3
…
Name (10.0.0.3:kali): anonymous
331 Please specify the password.
Password: [anonymous]
230 Login successful.

List all files in order.

ftp> ls -lat
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
…
226 Directory send OK.

FTP Browser Client

Due to its insecure nature, FTP support is being dropped by Firefox and Google Chrome.

Try accessing ftp://user:pass@10.0.0.3 from your browser. If no credentials are provided, anonymous:anonymous is assumed.

Brute Forcing

Configuration files

It is important to examine these config files:

ftpusers
ftp.conf
proftpd.conf

Other

Binary and ASCII

Binary and ASCII files have to be uploaded using binary or ascii mode respectively; otherwise the file will become corrupted. Use the corresponding command (binary or ascii) to switch between modes.
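
Added example (not part of the original page): a simplified Python model of how ASCII mode (TYPE A) rewrites line endings while binary mode (TYPE I) leaves bytes untouched, with a SHA-256 check to confirm whether a transferred file is intact. The platform names, sample bytes and function names are constructed for illustration; real clients and servers differ in detail.

```python
import hashlib

# Native on-disk line ending per platform (assumed for this model).
NATIVE_EOL = {"unix": b"\n", "windows": b"\r\n"}


def to_wire(data: bytes, mode: str, sender: str) -> bytes:
    """Bytes the sender places on the data connection."""
    if mode == "binary":  # TYPE I: sent untouched
        return data
    # TYPE A: native line endings are rewritten to CRLF for the wire
    return data.replace(NATIVE_EOL[sender], b"\r\n")


def from_wire(wire: bytes, mode: str, receiver: str) -> bytes:
    """Bytes the receiver writes to disk."""
    if mode == "binary":
        return wire
    # TYPE A: CRLF from the wire is rewritten to the receiver's line ending
    return wire.replace(b"\r\n", NATIVE_EOL[receiver])


def transfer(data: bytes, mode: str, sender: str, receiver: str) -> bytes:
    return from_wire(to_wire(data, mode, sender), mode, receiver)


def check_transfer(original: bytes, received: bytes) -> dict:
    """Compare SHA-256 digests and report how far the size moved."""
    same = hashlib.sha256(original).digest() == hashlib.sha256(received).digest()
    return {"intact": same, "size_delta": len(received) - len(original)}


# Constructed sample: ELF-like header, every byte value once, then a CRLF pair.
SAMPLE_BINARY = b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) + b"\r\n\x00"
# Constructed text file with Unix line endings.
SAMPLE_TEXT = b"user=anonymous\nhome=/srv/ftp\n"

if __name__ == "__main__":
    for mode, sender, receiver in [("binary", "unix", "windows"),
                                   ("ascii", "unix", "windows"),
                                   ("ascii", "windows", "unix")]:
        result = check_transfer(SAMPLE_BINARY,
                                transfer(SAMPLE_BINARY, mode, sender, receiver))
        print(f"{mode:6} {sender:>7} -> {receiver:<7} {result}")
    # ASCII mode is correct for text: same lines, platform-native endings.
    converted = transfer(SAMPLE_TEXT, "ascii", "unix", "windows")
    print(converted.splitlines() == SAMPLE_TEXT.splitlines())
```

A size change or digest mismatch after a transfer is the sign that the wrong mode was used; transfer the file again in binary mode.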

Download all files from FTP

wget -m ftp://anonymous:anonymous@10.10.10.98 # Download all
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 # Download all (active mode)

Last updated 2 years ago


SecLists includes a handy list of FTP default credentials.
Brute Forcing SSH